TheHive is a scalable, open source and free Security Incident Response Platform (SIRP).

It is intended to be a life changer for SOCs (Security Operations Centers), CSIRTs (Computer Security Incident Response Teams), CERTs (Computer Emergency Response Teams) and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Multiple SOC and CERT analysts can simultaneously collaborate on investigations.

Features:

Live stream: everyone can keep an eye on what is happening on the platform, in real time.

Real-time information pertaining to new or existing cases.

Task and case management: two cases can be merged if you believe they relate to the same threat or have a significant observable overlap.

Thanks to TheHive4py, TheHive’s Python API client, it is possible to send SIEM alerts, phishing and other suspicious emails and other security events to TheHive. They will appear in the alert panel along with new or updated MISP events, where they can be previewed, imported into cases or ignored.

Observables can be associated with a TLP and, using tags, with the source that provided or generated them. The platform automatically flags observables that have already been seen in previous cases.

Starting from Buckfast (TheHive version 2.10), analysts can analyze large amounts of observables in a few clicks by leveraging the analyzers of one or several Cortex instances depending on your OPSEC needs: DomainTools, VirusTotal, PassiveTotal, Joe Sandbox, geolocation, threat feed lookups and so on.

Customizable: Security analysts can add their own analyzers to Cortex in order to automate actions that must be performed on observables or IOCs. They can also decide how analyzers behave according to the TLP.

TheHive is written in Scala and uses Elasticsearch 2.x for storage. Its REST API is stateless, which allows it to scale horizontally. The front-end uses AngularJS with Bootstrap.

TheHive is an open source and free software released under the AGPL (Affero General Public License).

Cortex

Observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed one by one using a Web interface. Analysts can also automate these operations and submit observables in bulk mode through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP.

Use one of the many analyzers it ships with.

Create your own analyzer in any programming language that runs on Linux.

Query MISP expansion modules from Cortex.

Cortex and TheHive:

Analyze observables in a few clicks using one or several Cortex instances depending on your OPSEC needs and security requirements.

Integrated reporting: TheHive comes with a report template engine that lets you render the output of Cortex analyzers the way you want, instead of writing your own parsers for the JSON that Cortex returns.

Cortex can be used as a standalone product thanks to its simple yet powerful Web UI or interface it with other security incident response platforms through a REST API.

Identify abuse contacts, parse files in several formats such as OLE and OpenXML to detect VBA macros, extract useful information from PE and PDF files, and much more.

Cortex is written in Scala. The front-end uses AngularJS with Bootstrap. Its REST API is stateless, which allows it to scale horizontally. The provided analyzers are written in Python; additional analyzers may be written in Python or in any other language that runs on Linux.
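As an added example (not code from the Cortex or TheHive projects), here is a minimal analyzer that follows the Cortex job contract: it reads a JSON job with data, dataType, tlp and config from stdin and writes a JSON report with success, full, summary and artifacts to stdout. It deliberately avoids the project's cortexutils helper so it runs stand-alone, and it shows the TLP gating mentioned above: the observable's TLP is compared against the analyzer's ceiling before any lookup happens. The embedded feed (including the EICAR test-file MD5), the confidence threshold, and the config keys check_tlp and max_tlp (named after the convention used in Cortex analyzer configs, with check_tlp defaulting to on here) are assumptions for this example; a real analyzer would replace the local dictionary with the call to the external service it wraps, which is exactly why the TLP check has to run first.

```python
# Added example: a minimal Cortex-style analyzer that honours the job's TLP.
# It implements the analyzer job contract (JSON job on stdin, JSON report on
# stdout) without the cortexutils helper so that it runs stand-alone.
# The embedded feed and the threshold below are constructed for this example.
import json
import re
import sys

# Constructed sample feed: indicator -> (feed name, confidence 0-100).
LOCAL_FEED = {
    "bad.example": ("feed-a", 90),
    "198.51.100.23": ("feed-b", 60),
    "44d88612fea8a8f36de82e1278abb02f": ("feed-a", 95),  # EICAR test file MD5
}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def tlp_allowed(job):
    """Refuse to process an observable whose TLP exceeds the analyzer's
    configured ceiling. config.check_tlp / config.max_tlp mirror the naming
    convention of Cortex analyzer configs (assumption for this example)."""
    cfg = job.get("config", {})
    if not cfg.get("check_tlp", True):
        return True
    return job.get("tlp", 2) <= cfg.get("max_tlp", 2)


def analyze(job):
    """Return a Cortex-shaped report dict for one job."""
    if job.get("dataType") not in ("ip", "domain", "hash"):
        return {"success": False, "errorMessage": "unsupported dataType"}
    # The TLP check runs before any lookup so that data never leaves the
    # platform when the observable is more sensitive than the analyzer allows.
    if not tlp_allowed(job):
        return {"success": False, "errorMessage": "TLP too high for this analyzer"}

    data = job["data"].strip().lower()
    full = {"observable": data, "dataType": job["dataType"]}
    if job["dataType"] == "hash":
        algo = HASH_LENGTHS.get(len(data)) if re.fullmatch(r"[0-9a-f]+", data) else None
        if algo is None:
            return {"success": False, "errorMessage": "not a hex md5/sha1/sha256"}
        full["algorithm"] = algo

    hit = LOCAL_FEED.get(data)
    if hit:
        feed, confidence = hit
        full.update({"feed": feed, "confidence": confidence})
        level = "malicious" if confidence >= 80 else "suspicious"
        value = f"{feed}:{confidence}"
    else:
        level, value = "safe", "not listed"

    # summary.taxonomies is what TheHive renders as a coloured tag on the observable.
    summary = {"taxonomies": [{"level": level, "namespace": "LocalFeed",
                               "predicate": "Match", "value": value}]}
    return {"success": True, "full": full, "summary": summary, "artifacts": []}


if __name__ == "__main__":
    # Cortex hands the job to the analyzer on stdin and reads the report on stdout.
    print(json.dumps(analyze(json.load(sys.stdin))))
```

Run it as Cortex would, e.g. echo '{"data":"bad.example","dataType":"domain","tlp":1}' | python analyzer.py. A TLP:RED job (tlp 3) with the default ceiling of 2 is refused with success false, which TheHive shows as a failed job rather than leaking the observable.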

Cortex is an open source and free software released under the AGPL (Affero General Public License).

Hippocampe

A simple, efficient, threat feed aggregator that you can query easily

Hippocampe is a threat feed aggregator. It gives your organization a threat feed ‘memory’ and lets you query it easily through a REST API or from a Web UI.

With TheHive as your security incident response platform, you can customize how the JSON output of the Hippocampe analyzer is rendered, or use the report template provided.

Hippocampe aggregates feeds from the Internet into an Elasticsearch cluster. Its REST API lets you search this 'memory'. It is based on a Python script that fetches the URLs of the configured feeds, then parses and indexes them.

Hippocampe regularly downloads and parses text-based threat feeds, public or private, from the Internet and stores them in Elasticsearch (the download jobs can be supervised).

Hippocampe lets analysts configure a confidence level for each feed, which can be changed over time. When queried, it returns a Hipposcore, a score that helps decide whether an observable is innocuous or malicious.

Hippocampe is an open source and free software released under the AGPL (Affero General Public License).

TheHive4py (work in progress)

TheHive4py allows analysts to send alerts to TheHive from different sources. Those alerts can then be previewed and imported into cases using pre-defined templates.

For example, a SOC may ask its constituency to send suspicious email reports to a specific mailbox that a script polls at regular intervals. When a new email arrives, the script parses it, then uses TheHive4py to send an alert to TheHive. Analysts can then import the alert as a case.
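The mailbox-polling workflow above, as an added example that is not part of TheHive4py or TheHive: parse_report_email() turns one raw message into the alert document TheHive's alert endpoint accepts (title, description, type, source, sourceRef, severity, tlp, tags, artifacts), and send_alert() posts it. The same document shape is what a SIEM-alert forwarder would build. It uses only the Python standard library instead of the TheHive4py client so that it runs without it; the IMAP polling loop is left out, and the /api/alert path, the Bearer-token Authorization header, the TheHive URL and the API key are assumptions to adapt to your deployment. The sample email and the source name are constructed for this example.

```python
# Added example: poll-script logic for the "suspicious email mailbox" workflow.
# parse_report_email() turns one raw message into the JSON document TheHive's
# alert endpoint accepts; send_alert() posts it. The endpoint path and the
# Bearer-token header are assumptions; the sample email is constructed.
import email
import email.utils
import hashlib
import json
import re
import urllib.request
from email import policy

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample report: a forwarded phishing email with a PDF attachment.
SAMPLE_EMAIL = b"""From: reporter@corp.example
To: phishing-reports@corp.example
Subject: FW: Urgent invoice
Message-ID: <20170101.abc@corp.example>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please review http://bad.example/invoice and https://cdn.example/x.png
--B
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B--
"""


def parse_report_email(raw, source="mailbox-poller"):
    """Build a TheHive alert document from one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    message_id = str(msg.get("Message-ID", ""))
    body_parts, artifacts = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # Hash attachments instead of shipping the file: the hash is enough
            # for analysts to pivot on and does not store malware in the alert.
            payload = part.get_payload(decode=True) or b""
            artifacts.append({
                "dataType": "hash",
                "data": hashlib.sha256(payload).hexdigest(),
                "message": f"sha256 of attachment {part.get_filename()}",
            })
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content())
    body = "\n".join(body_parts)
    for url in sorted(set(URL_RE.findall(body))):
        artifacts.append({"dataType": "url", "data": url})
    sender = str(msg.get("From", ""))
    if sender:
        artifacts.append({"dataType": "mail", "data": email.utils.parseaddr(sender)[1]})
    # sourceRef must be unique per alert within a source; deriving it from the
    # Message-ID means re-polling the same mailbox does not create duplicates.
    source_ref = hashlib.sha1(message_id.encode() or raw).hexdigest()[:16]
    return {
        "title": f"Reported email: {msg.get('Subject', '(no subject)')}",
        "description": body[:4000],
        "type": "phishing",
        "source": source,
        "sourceRef": source_ref,
        "severity": 2,      # 1 low, 2 medium, 3 high
        "tlp": 2,           # TLP:AMBER
        "tags": ["phishing", "user-report"],
        "artifacts": artifacts,
    }


def send_alert(alert, thehive_url, api_key):
    """POST the alert to TheHive (assumed /api/alert, Bearer auth); returns the HTTP status."""
    req = urllib.request.Request(
        thehive_url.rstrip("/") + "/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(json.dumps(parse_report_email(SAMPLE_EMAIL), indent=2))
```

The deterministic sourceRef is the part practitioners most often get wrong: a poller that restarts or re-reads an unread folder will otherwise flood the alert panel with copies of the same report. Once the alert is in TheHive, the URLs and the attachment hash are already observables that Cortex analyzers can be run against as soon as the alert is imported into a case.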